From owner-freebsd-hackers@FreeBSD.ORG Wed Mar 30 18:29:52 2005
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C9DB16A4CE for ; Wed, 30 Mar 2005 18:29:52 +0000 (GMT)
Received: from marlena.vvi.at (marlena.vvi.at [208.252.225.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id D683543D55 for ; Wed, 30 Mar 2005 18:29:51 +0000 (GMT) (envelope-from www@marlena.vvi.at)
Received: from marlena.vvi.at (localhost.marlena.vvi.at [127.0.0.1]) by marlena.vvi.at (8.12.10/8.12.9) with ESMTP id j2UIU0h3010222; Wed, 30 Mar 2005 10:30:01 -0800 (PST) (envelope-from www@marlena.vvi.at)
Received: (from www@localhost) by marlena.vvi.at (8.12.10/8.12.10/Submit) id j2UITrlt010221; Wed, 30 Mar 2005 10:29:53 -0800 (PST) (envelope-from www)
Date: Wed, 30 Mar 2005 10:29:53 -0800 (PST)
Message-Id: <200503301829.j2UITrlt010221@marlena.vvi.at>
To: elric@imrryr.org
From: "ALeine"
cc: freebsd-hackers@freebsd.org
cc: phk@phk.freebsd.dk
cc: tech-security@netbsd.org
Subject: Re: A bunch of memory allocation bugs in CGD
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 30 Mar 2005 18:29:52 -0000

elric@imrryr.org wrote:

> Thanks for having a look at that. I have checked in a fix.

Thanks for responding so quickly.

> I presume that you have addressed the cases in GBDE where
> malloc's return code has not been checked? If so, perhaps
> cvsweb is a little behind. It looks to me like 2 or 4 mallocs
> can use a buffer without checking the return code.

There are two malloc bugs in GBDE, but both are minor and have no security implications. Both bugs are in src/sbin/gbde/gbde.c:

- The first bug is in cmd_nuke() and could not be seen as much of a bug because cmd_nuke() is used to destroy lock sectors. If this fails due to memory starvation no sensitive information is leaked; only a write(2) call fails and gbde terminates correctly upon catching and reporting the write error.

- The second bug is in cmd_write(), where a buffer is allocated and checked, but not immediately, so there is a case where it can be used before it gets checked. However, even if this happens, only a read(2) call fails and gbde terminates correctly upon catching and reporting the read error.

In src/sys/geom/bde/g_bde.c there is also a g_malloc() allocated buffer which is unchecked, but since the allocation is done with the M_WAITOK flag it's safe.

This means there are no malloc bugs in GBDE which could cause a segmentation violation.

I have sent the patch for the minor malloc bugs I described above to Poul-Henning, so I expect him to review it and commit the appropriate fix in the near future.

ALeine

___________________________________________________________________
WebMail FREE http://mail.austrosearch.net
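The cmd_write() pattern discussed above, as an added illustration that is not gbde's own code: a buffer is handed to a read before its allocation is checked, next to the corrected ordering. The sector size, the in-memory "device", read_sector(), xmalloc() and the two load_sector_* functions are all constructed for this example; read_sector() mimics read(2) by failing with EFAULT on a NULL buffer, which is why the late check still ends in a clean error rather than a crash.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-ins (not gbde's code): a 4-sector in-memory device and a
 * read(2)-like call. Like the real read(2), it fails with EFAULT instead of
 * crashing when handed a NULL buffer. */
#define SECTOR 512
static uint8_t fake_device[4 * SECTOR] = { 'L', 'O', 'C', 'K' };

static ssize_t read_sector(unsigned s, void *buf)
{
    if (buf == NULL) { errno = EFAULT; return -1; }
    if (s >= 4)      { errno = EINVAL; return -1; }
    memcpy(buf, fake_device + s * SECTOR, SECTOR);
    return SECTOR;
}

/* Fault injection: when set, xmalloc() returns NULL as malloc(3) does under
 * memory starvation, so both orderings below can be exercised. */
int inject_alloc_failure = 0;
static void *xmalloc(size_t n) { return inject_alloc_failure ? NULL : malloc(n); }

/* Ordering the mail describes for cmd_write(): the buffer is checked, but only
 * after it has already been passed to the read. Because read(2) rejects the
 * NULL buffer itself (EFAULT), the tool still fails cleanly, which is why the
 * report rates the bug minor. Returns 0, or -1 with errno set. */
int load_sector_check_late(unsigned s, uint8_t out[SECTOR])
{
    uint8_t *buf = xmalloc(SECTOR);
    ssize_t n = read_sector(s, buf);                 /* used before checked */
    if (n != SECTOR) { free(buf); return -1; }       /* errno is EFAULT here */
    if (buf == NULL) { errno = ENOMEM; return -1; }  /* check arrives too late */
    memcpy(out, buf, SECTOR);
    free(buf);
    return 0;
}

/* Corrected ordering: check the allocation before anything touches it, so a
 * failed malloc is reported as ENOMEM instead of surfacing as a read error. */
int load_sector_check_first(unsigned s, uint8_t out[SECTOR])
{
    uint8_t *buf = xmalloc(SECTOR);
    if (buf == NULL) { errno = ENOMEM; return -1; }
    if (read_sector(s, buf) != SECTOR) { free(buf); return -1; }
    memcpy(out, buf, SECTOR);
    free(buf);
    return 0;
}
```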